I tried with following tests: <br>1) <br>add "firewall_driver = nova.virt.firewall.IptablesFirewallDriver" to nova.conf<br>restart nova-compute<br>Change the following lines in /usr/share/pyshared/nova/virt/libvirt/firewall.py<br>
self._define_filter(self._filter_container('nova-base',<br> ['no-mac-spoofing',<br> 'no-ip-spoofing',<br>
'no-arp-spoofing',<br> 'allow-dhcp-server']))<br>to <br> self._define_filter(self._filter_container('nova-base',<br>
['allow-dhcp-server']))<br>then flush ebtables ruleset : ebtables -t nat -F<br>stop libvirt-bin & start libvirt-bin<br>Still generate the anti-spoofing rules<br>
<br>2) <br>change the action='drop' with 'accept' to following XML files<br><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">sed
-i "s/action='drop'/ action='accept'/g" /etc/libvirt/nwfilter/no-arp-ip-spoofing.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-arp-mac-spoofing.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-ip-spoofing.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-mac-broadcast.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-mac-spoofing.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-other-l2-traffic.xml<br>
sed -i "s/action='drop'/ action='accept'/g" </span><span style lang="EN-US">/etc/libvirt/nwfilter/</span><span style="font-size:12pt;font-family:"Times New Roman","serif"" lang="EN-US">no-other-rarp-traffic.xml<br style>
<br></span>then flush ebtables ruleset : ebtables -t nat -F<br>
stop libvirt-bin & start libvirt-bin<br><br>Okay, I can see accept rules, but the kvm processes is also gone at the same time.<br>Don't know why.<br><br>still waiting for some help!!<br><br>-Jimmy<br style><span style lang="EN-US">
</span><br><br><br> <br><br><div class="gmail_quote">2012/5/3 Yong Sheng Gong <span dir="ltr"><<a href="mailto:gongysh@cn.ibm.com" target="_blank">gongysh@cn.ibm.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif"><div>It seems change <a href="https://review.openstack.org/#/c/6569/" target="_blank">https://review.openstack.org/#/c/6569/</a> can help. Please see how it add a new configuration item to remove some filters.<br>
</div><div><br><div><br></div><font color="#990099">-----openstack-bounces+gongysh=<a href="mailto:cn.ibm.com@lists.launchpad.net" target="_blank">cn.ibm.com@lists.launchpad.net</a> wrote: -----<br><br></font><blockquote style="padding-right:0px;padding-left:5px;margin-left:5px;border-left:2px solid #000000;margin-right:0px">
To: Mike Scherbakov <a href="mailto:mihgen@gmail.com" target="_blank"><mihgen@gmail.com></a><br>From: Jimmy Tsai <a href="mailto:cmingt@gmail.com" target="_blank"><cmingt@gmail.com></a><br>Sent by: <a href="mailto:openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net" target="_blank">openstack-bounces+gongysh=cn.ibm.com@lists.launchpad.net</a><br>
Date: 05/03/2012 01:45AM<br>Cc: <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a>, <a href="mailto:jimmy.tsai@104.com.tw" target="_blank">jimmy.tsai@104.com.tw</a><br>Subject: Re: [Openstack] questions about IP addressing and network config<div>
<div class="h5"><br><br><div class="gmail_extra">Hi Mike,<br><br>I really need to bind loopback IP on my environment, I use the command "ebtables -t nat -F" will flush the ebtables rule, so I can bind any IP I wish,<br>
but if I do stop libvirt-bin and start libvir-bin, the security rules will be applied again, <br>
if I remark no-ip-spoofing & no-arp-spoofing on file /etc/libvirt/nwfilter/nova-base.xml, after launching a instance, the file will reset to default, <br>I think I use the wrong way, Is there any way to ignore the nova-base rule on /usr/lib/python2.7/dist-packages/nova/virt/libvirt/firewall.py ? <br>
<br>Thanks for you help.<br>-Jimmy<br><br><div class="gmail_quote">2012/4/27 Mike Scherbakov <span dir="ltr"><<a href="mailto:mihgen@gmail.com" target="_blank">mihgen@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex">
<div class="gmail_extra">Jimmy,</div><div class="gmail_extra">Nova is designed to manage IP addresses.</div><div class="gmail_extra">That means that even with Flat manager it will be allocating IP addresses for you,</div>
<div class="gmail_extra">
storing them in DB. The difference btw FlatDHCP is Flat injects /etc/network/interfaces to the instance,</div><div class="gmail_extra">not providing IP by DHCP. So, anti-spoofing rules should be the same (I never checked though for Flat).</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">If you want to provide your own addresses to instances, I believe you will need to extend nova code</div><div class="gmail_extra">to provide your custom IP address in API request, and then if it's not already allocated, it should get allocated.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Regards,</div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Fri, Apr 27, 2012 at 3:27 PM, Jimmy Tsai <span dir="ltr"><<a href="mailto:cmingt@gmail.com" target="_blank">cmingt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><div class="gmail_extra">Thanks Vish & Mike.<br><br>It works very well after flush the anti-spoofing rules , I change the IP address and bind alias IP to an interface, <br>
but when I restart nova-network and nova-compute , I can't ping neither the IP I changed nor the instances I haven't changed.<br>
I'll try to figure out what happened with that !!<br><br>Even I change the IP address, I can't not see the correct address on Dashboard, because the record of nova.fixed_ips not changed.<br>I should try with FlatManager to allocate static IP.<br>
<br>Thanks,<br>-Jimmy<div><div><br><br><div class="gmail_quote">2012/4/27 Mike Scherbakov <span dir="ltr"><<a href="mailto:mihgen@gmail.com" target="_blank">mihgen@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex">
<div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Thu, Apr 26, 2012 at 10:31 PM, Vishvananda Ishaya <span dir="ltr"><<a href="mailto:vishvananda@gmail.com" target="_blank">vishvananda@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><div><br>
On Apr 25, 2012, at 7:31 PM, Jimmy Tsai wrote:<br><br>
><br>
> Hi everyone,<br>
><br>
> I'm running with Essex 2012.1,<br>
> and have some questions about the nova network operation,<br>
><br>
> 1. Is it possible manually assigned IP address to a launched instance, my situation is :<br>
> after instance boot up (OS: CentOS 6.2), I changed the /etc/sysconfig/network-scripts/ifcfg-eth0 setting<br>
> from dhcp to static (the same subnet as created by command : nova-manage create network....), and restart the network service,<br>
> And then I couldn't ssh or ping the instance from other server with the same subnet.<br>
> What is the problem ? I checked the iptables policies on the compute host, and find nothing about the DROP packets.<br>
> I also tried to changed the record from nova.fixed_ips table and libvirt.xml of the instance, then reboot the instance, still not worked.<br>
> I used FlatDHCP as my network manager.<br><br>
</div>You can't do this. Libvirt sets up no mac spoofing and no ip spoofing so the ip address needs to match the dhcp'd one. You should be able to switch to a static and use the same info that you get from dhcp though.<br>
<div>><br>
> 2. According to the first question, I have another requirement to set up a loopback IP address (lo:0) on the running instance, after setting was completed,I couldn't ping or ssh the loopback IP from the same subnet, and I tried to set a alias IP address with eth0:0, but still not get worked.<br>
> Any ideas with this ?</div></blockquote><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><div><br>
</div>Not sure<br></blockquote></div><div>I guess it's the same issue as with setting a different IP from what dnsmasq provided. You can try ebtables -F; ebtables -t nat -F to flush those anti spoofing rules. <br></div>
</div></div></blockquote><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><div class="gmail_extra"><div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex">
<div><br>
><br>
> 3. Is there any way to use 2 NICs with different subnets on instances? I want to separate the network traffic.<br>
> Now I'm running with one bridged interface (br100), and it works well. In order to backup the large log files,<br>
> I'm planing to use 2 NICs for the compute hosts, I want use 2 vNICs on instance, one for web service and the other for log backup,<br>
> I think I should create a new network for the second bridged interface, but I can't find any document to guild me.<br><br>
</div>This is definitely possible with FlatManager (You could use cloud_config drive and some version of contrib/openstack-config converted to work with centos to set up the interfaces)<br><br>
It was possible at one point with FlatDHCPManager as well by creating multiple networks and using a specific combination of config options like use_single_default_gateway. I don' t know if anyone has tried this for a while so there may be issues with it. You might try creating a second network and setting use_single_default_gateway and see what happens.<br>
</blockquote></div><div>Confirm that it works with Essex release.</div><div>If you don't specify use_single_default_gateway=true your default route will be jumping from one interface to another. If you both subnets are covered by --fixed_network, it's fine even without setting the use_single_default_gateway.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid #cccccc;padding-left:1ex"><div><br>
There are plans underway to support this by only dhcping the first interface and allowing a guest agent to set up the other interfaces, but it isn't in place yet.<br><br>
Vish<br></div>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><span><font color="#888888"><br>
</font></span></blockquote></div><span><font color="#888888"><br><br clear="all"><div><br></div>-- <br>Mike Scherbakov<br>
</font></span></div>
</blockquote></div><br></div></div></div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br>Mike Scherbakov<br>
</font></span></div>
</blockquote></div><br></div>
<font face="Courier New,Courier,monospace" size="3">_______________________________________________<br>Mailing list: <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/%7Eopenstack" target="_blank">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</font>
</div></div></blockquote><br></div></font>
<br>
</blockquote></div><br>